Date:      Tue, 2 Jul 2002 18:12:26 +0200
From:      "Marcel Dijk" <marcel.dijk@home.nl>
To:        <security@freebsd.org>
Subject:   Making a firewall more closed
Message-ID:  <01ea01c221e3$43a62550$0200a8c0@winxp>

Yes, that works! Thanks very much for your help.

Now I have another problem: I can log in to an FTP site, but then I get this
message:

227 Entering Passive Mode (212,120,66,212,248,134)
Data Socket Error: Connection Failed

I think I should open ports 1024-65535? But wouldn't that be a great
security risk?

Thanks,

Marcel.

> You forgot about DNS. If you change rule 550 from
> add 550 allow log udp from me to any 21,80 keep-state out
> to
> add 550 allow log udp from me to any 21,53,80 keep-state out
> it should work.
>
> You may want to find out what IPs you use for DNS, and specifically allow
> those addresses.
>
> I loaded your rules and I'm not having any problems now.
>
>
>
> On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> > This is my current ruleset:
> >
> > # allow loopback traffic
> > add 100 allow ip from any to any via lo0
> >
> > # protect loopback address
> > add 200 deny log ip from 127.0.0.1 to any
> > add 249 deny log ip from any to 127.0.0.1
> >
> > # block spoofs
> > add 400 deny log ip from me to any in via ed0
> >
> > # enable NATD
> > add 425 divert 8668 ip from any to any via ed0
> >
> > # check dynamic rules
> > add 450 check-state
> >
> > # make dynamic entries for all outgoing traffic
> > add 500 allow log tcp from me to any 1-65535 keep-state out
> > add 550 allow log udp from me to any 1-65535 keep-state out
> >
> > # services we offer to the world
> > add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
> >
> > # pass ICMP
> > add 700 allow log icmp from me to any out
> > add 750 allow log icmp from any to me in
> >
> > # pass everything on private LAN
> > add 800 allow log all from 192.168.0.0/16 to any
> > add 850 allow log all from any to 192.168.0.0/16
> >
> > # log rejects that have fallen through
> > add 65000 deny log ip from any to any
> >
> > With this ruleset I can browse websites, FTP sites etc.
> >
> > But when I replace rules 500 and 550 with this:
> >
> > add 500 allow log tcp from me to any 21,80 keep-state out
> > add 550 allow log udp from me to any 21,80 keep-state out
> >
> > I cannot access any websites nor FTP sites. But I guess I had just allowed
> > it?
> >
> > Or is the 'out' the problem here.
> >
> > Marcel.
> >
> > On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > > What I mean is that I want to grant access to the internet. But only to
> > > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> > >
> > > add 550 allow ip from me to any 80,21,22
> > >
> > > I cannot access a website, that puzzles me.
> >
> > There is a problem with the rule in the example: You allowed traffic to
> > leave through those ports, but not to enter. We can fix this rule:
> >
> > add 550 allow tcp from me to any 80,21,22 keep-state
> >
> > I noticed you already had a rule 550 - you may want to give it a different
> > number. IPFW (running 4.5R here) gives the following error when trying to
> > load your rule:
> >
> > ipfw: only TCP and UDP protocols are valid with port specifications
> >
> > hence why i changed it from ip to tcp.
> >
> > GL
>
> --
> ----------
> Ramsey G. Brenner
> rgbrenner@myrealbox.com
> http://rgbrenner.cjb.net/
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
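The 227 reply and rule 500 from this thread, worked through as an added example that is not part of the original messages: the data channel of a passive FTP transfer is a second connection the client opens outbound to the port the server advertises in the 227 reply, so with keep-state rules it is the outbound TCP rule that has to cover that port, and opening inbound 1024-65535 is neither needed nor what the failure points at. The rule text and the 227 line are copied from the thread; the parser and the rule matcher are small helpers written for this example, not ipfw's own.

```python
import re

# Copied from the thread: the 227 reply the FTP client received.
PASV_REPLY = "227 Entering Passive Mode (212,120,66,212,248,134)"

# Rule 500 in its restrictive form (21,80) and in its original 1-65535 form.
RESTRICTIVE = "add 500 allow log tcp from me to any 21,80 keep-state out"
PERMISSIVE = "add 500 allow log tcp from me to any 1-65535 keep-state out"


def parse_pasv(reply):
    """Return (server_ip, data_port) from an FTP 227 reply.

    RFC 959 encodes the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
    """
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def rule_ports(rule):
    """Expand the destination ports of an ipfw 'tcp from me to any PORTS ... out'
    rule into a set of ints; handles 'a,b' lists and 'lo-hi' ranges (helper
    written for this example, covers only the rule shape used in the thread)."""
    m = re.search(r"from me to any (\S+)", rule)
    if not m:
        return set()
    ports = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def outbound_allowed(rule, port):
    """Would this outbound keep-state rule match a new connection to `port`?"""
    return port in rule_ports(rule)


def pasv_data_allowed(rule, reply):
    """Does `rule` let the client open the PASV data channel named in `reply`?
    If not, the connection falls through to the final deny and the client
    reports a data socket error, exactly as in the thread."""
    _, data_port = parse_pasv(reply)
    return outbound_allowed(rule, data_port)
```

Under the restrictive rule 500 the data port 63622 is not covered, so the control login on port 21 succeeds while the data channel is dropped; the 1-65535 form covers it, which is why the original ruleset worked.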




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01ea01c221e3$43a62550$0200a8c0>